ECSH82791 - Sanctions for non-compliance: financial penalties: financial penalties framework: groups of related contraventions
Contraventions under The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) will generally fall into one of several groups of related contraventions.
Fundamental requirements
These are the fundamental requirements for having effective anti-money laundering controls in place:
Regulation 18(1) - failure to identify and assess the risks of money laundering and terrorist financing to which its business is subject, and to take account of information provided and risk factors.
Regulation 18(4) - failure to keep an up-to-date record in writing of the risk assessment.
Regulation 18(6) - failure to provide the risk assessment when requested.
Regulation 18A(1) – failure to identify and assess the risks of proliferation financing to which its business is subject and take into account information provided and risk factors.
Regulation 18A(4) - failure to keep an up-to-date record in writing of the risk assessment.
Regulation 18A(5) - failure to provide the risk assessment when requested.
Regulation 19 - failure to establish, maintain, regularly review, update, keep a record in writing and communicate the policies, controls and procedures (PCPs) to mitigate and manage the risks of money laundering and terrorist financing identified in the risk assessment undertaken in regulation 18(1). The PCPs must include the criteria set out within regulation 19(3) and 19(4) MLR 2017.
Regulation 19A – failure to establish, maintain, review, update, keep a record in writing and communicate the policies, controls and procedures to mitigate and effectively manage the risks of proliferation financing identified in the risk assessment undertaken in regulation 18A(1) MLR 2017. The PCPs must include the criteria set out within regulation 19A(3) and 19A(4) MLR 2017.
Regulation 20 – failure to apply policies, controls and procedures to subsidiaries and branches in and outside the UK.
Regulation 21(1) – where appropriate having regard to the size and nature of the business, failure to appoint a compliance officer, screen relevant employees and establish an independent audit function.
Regulation 21(3) - failure to appoint a nominated officer.
Regulation 21(4) - failure to notify the identity of and changes to the compliance and nominated officer.
Regulation 21(5) – failure to consider internal disclosures of suspicion.
Regulation 21(7) - failure of a payment service provider to appoint an individual to monitor and manage compliance with, and internal communication of, the policies, controls and procedures adopted under regulation 19.
Regulation 21(8) - failure to establish and maintain systems which enable it to respond fully to enquiries from any person specified in regulation 21(9).
Regulation 26(4) - failure of a relevant firm to take reasonable care that no-one is appointed or continues to act as an officer or manager of the business unless regulation 26(4)(a) or (b) applies.
Regulation 26(5) – a sole practitioner acting or continuing to act as such unless regulation 26(5)(a) or (b) applies.
Regulation 26(10) - failure of a relevant firm/approved person to inform HMRC of a conviction for a relevant offence within the specified time.
Regulation 40 - failure to keep the records specified for at least the period specified in regulation 40(3) and provide them when required.
Regulation 41 - failure to provide customers with the required information in relation to data protection or making use of the data for purposes not specified.
Regulation 78(5) - failure of a business or payment service provider to take reasonable care to ensure that a prohibited person does not act or continue to act in a management role.
The decision maker will need to consider whether a type 3 penalty for breaches of regulations 21(4), 26(4), 26(5) and 26(10) is more appropriate.
Fundamental customer due diligence measures
Regulation 27 - failure to apply customer due diligence measures when required.
Regulation 28(2) - failure to identify and verify the customer and assess the purpose and intended nature of the business relationship or occasional transaction.
Regulation 28(3) - failure to obtain, determine and verify the details specified where the customer is a body corporate.
Regulation 28(3A) - failure to take reasonable measures to understand the ownership and control of a customer who is a legal person, trust, company, foundation or similar legal arrangement.
Regulation 28(4) - failure to identify and take reasonable measures to verify the identity of the beneficial owner.
Regulation 28(8) - failure to keep records of the steps taken to identify the beneficial owner of a corporate body, where regulation 28(7) MLR 2017 applies.
Regulation 28(10) - failure to identify and verify a person purporting to act on behalf of the customer and to verify their authority to act.
Regulation 28(11) - failure to conduct ongoing monitoring of a business relationship.
Regulation 28(12) - failure to take account of the risk assessment and level of risk when taking customer due diligence measures.
Regulation 30 - failure to comply with the requirements on timing of verification.
Regulation 30A – failure to report any discrepancies to the registrar of companies between information held on the beneficial ownership of a customer, as a result of customer due diligence, and information on the register.
Regulation 33 - failure to apply enhanced customer due diligence and enhanced ongoing monitoring where required.
Regulation 35(1) – failure to have appropriate risk management systems and procedures to determine whether a person is a politically exposed person (PEP) or a family member or known close associate of a PEP and to manage the enhanced risk of the business relationship or transactions.
Regulation 35(5) – failure to have approval from senior management for establishing or continuing a business relationship with a PEP, take adequate measures in relation to establishing source of wealth and source of funds and conduct enhanced ongoing monitoring of the business relationship.
Regulation 37 - failure to apply simplified customer due diligence appropriately taking account of the risk assessment, information provided to it and the risk factors.
Regulation 39(2) - failure to use reliance appropriately and to obtain the customer due diligence information from the person relied on and to enter into arrangements as required.
Other customer due diligence measures
Regulation 31 – failure to cease a transaction, not establish a business relationship, or terminate an existing business relationship where a relevant person is unable to apply customer due diligence measures, and failure to consider whether a disclosure is required in those circumstances.
Other breaches
Regulation 24 – failure to take appropriate measures to ensure relevant employees and agents are made aware of the law relating to money laundering, terrorist financing or proliferation financing (ML/TF/PF) and data protection requirements, regularly trained on how to recognise and deal with transactions which may be related to ML/TF/PF and to maintain a written record of the measures taken to train relevant employees and agents.
Registration breaches
Regulation 56(1) and (5) - failure of a relevant person to be included in the appropriate register.
Regulation 57(1) - failure to provide the specified information at registration.
Regulation 57(4) - failure to notify changes affecting registration or subsequent information within the specified time.
The decision maker will need to consider whether a type 2 or type 3 penalty for breaches of regulations 56 and 57 MLR 2017 above is more appropriate.